https://community.cisco.com/t5/web-security/how-to-use-user-roles-in-ironport-wsa-7-6-using-acs-4-1/m-p/2442464#M4483 <P>Hello,</P><P>I want to give a client access to a S370 WSA quarantine and I am using an ACS 4.1 for external authentication; that would be used for administrators and for the client access (non-administration access).</P><P>I have created a user-role in the WSA that has access to the quarantine I want, but I need the user to be in the ACS. I created the user in ACS but my question is, what should I configure or change in the ACS in order for the WSA to recognize the user with the specific role I created and not like an administrator role.</P><P>Thanks for your help!</P><P>Sergio</P> Mon, 21 Apr 2014 19:31:52 GMT slizarraga 2014-04-21T19:31:52Z https://community.cisco.com/t5/web-security/how-to-use-user-roles-in-ironport-wsa-7-6-using-acs-4-1/m-p/2442464#M4483 <P>Hello,</P><P>I want to give a client access to a S370 WSA quarantine and I am using an ACS 4.1 for external authentication; that would be used for administrators and for the client access (non-administration access).</P><P>I have created a user-role in the WSA that has access to the quarantine I want, but I need the user to be in the ACS. I created the user in ACS but my question is, what should I configure or change in the ACS in order for the WSA to recognize the user with the specific role I created and not like an administrator role.</P><P>Thanks for your help!</P><P>Sergio</P> Mon, 21 Apr 2014 19:31:52 GMT https://community.cisco.com/t5/web-security/how-to-use-user-roles-in-ironport-wsa-7-6-using-acs-4-1/m-p/2442464#M4483 slizarraga 2014-04-21T19:31:52Z https://community.cisco.com/t5/web-security/how-to-use-user-roles-in-ironport-wsa-7-6-using-acs-4-1/m-p/2442465#M4484 <P>Hi,</P><P>&nbsp;</P><P>This can be done by configuring the Radius Class attribute on the ACS and mapping it with the user roles on the WSA.</P><P>&nbsp;</P><P>"To map RADIUS users to different Web Security appliance user role types, you assign a role type, such<BR />as Administrator and Operator, to a RADIUS CLASS attribute. Mapping different role types lets you<BR />specify the authorization level for each RADIUS user."</P><P>&nbsp;</P><P>Please go to Page 26-12 of the WSA user guide&nbsp;http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-5/user_guide/WSA_7-5-0_UserGuide.pdf for more information under the section "Using External Authentication".</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Kush</P> Tue, 22 Apr 2014 07:05:09 GMT https://community.cisco.com/t5/web-security/how-to-use-user-roles-in-ironport-wsa-7-6-using-acs-4-1/m-p/2442465#M4484 kushsriva 2014-04-22T07:05:09Z https://community.cisco.com/t5/web-security/how-to-use-user-roles-in-ironport-wsa-7-6-using-acs-4-1/m-p/2442466#M4485 <P>Thanks <SPAN class="fullname"><SPAN rel="sioc:has_creator"><A class="username" href="https://supportforums.cisco.com/users/kushsriva" title="View user profile.">kushsriva</A></SPAN></SPAN> !<BR /><BR />The document was for the WSA but it was usefull anyway. The class attribute in Radius uses number 25&nbsp; and in the Cisco ACS is indicated like this:<BR /><BR />ou=definedclass<BR /><BR />In the ESA I had to make a modification ("Map externally authenticated users to multiple local roles".<BR /><BR />Thanks again <SPAN class="fullname"><SPAN rel="sioc:has_creator"><A class="username" href="https://supportforums.cisco.com/users/kushsriva" title="View user profile.">kushsriva</A></SPAN></SPAN>!!</P> Tue, 22 Apr 2014 22:48:30 GMT https://community.cisco.com/t5/web-security/how-to-use-user-roles-in-ironport-wsa-7-6-using-acs-4-1/m-p/2442466#M4485 slizarraga 2014-04-22T22:48:30Z